We are configuring a PHP web application on CentOS and have all our files currently in /var/www/html/project/
Apache is configured to run as apache:apache and has access to the directory above. Right now our files and directories have the following rights:
owner = root group = apache
DIRECTORIES: drwxr-x--- root apache
FILES: -rw-r----- root apache
Is this a safe setup? Or is it better to use a new user e.g. "project" to be the owner of all files and directories?
It's a best practice to have the owner be whatever limited user account is used for uploading/managing the files on the server. The group is often the account that php is running under, so in this case apache would be correct. The other permissions should be set to nothing, as they are. You are close to perfect.
If you have a situation where multiple accounts may be modifying/editing the files you can create a cron script that chowns the dir recursively every hour or so to maintain correct ownership. The same technique works to keep the permissions correct as well.
Also, you may want to modify the umask of the limited user account that has ownership to be in line with your permission scheme.
You're definitely playing it safe.
Your settings are going to keep you from being able to create additional folders in your DIRECTORIES should you need to on demand via apache.
I'd suggest that you use the following permissions:
Add your developers to the apache group so that they can continue to write to these files should they log in via ssh or ftp.
You can have liberal file permissions if you can trust what users are running them. If your code is solid then you can allow the apache group to do more with permissions.
Edit: In general give apache:
In the end what it boils down to is only giving the permissions that you must. Make them as conservative as possible and open them up as you develop your application if you need to.
One little thing about groups. You'll see some examples that show this (these are correct settings, too):
These permissions are required for a web application to run because the apache user is not part of the group permissions. In that case, apache is considered everyone so you need to set permissions to allow everyone to interact with your website. And by everyone I don't mean everyone in the world (i.e. anonymous). I mean everyone who is currently a user on your server (look in /etc/passwd to get a list).
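The two answers above describe the same scheme from different angles: the first suggests a periodic chown/chmod pass plus a matching umask, the second warns about the case where "other" bits end up granting access to every local account. The script below is an added example, not code posted by anyone in this thread. It assumes the thread's names (web root /var/www/html/project, Apache running as apache, and a limited upload account called "project", which is the asker's own suggestion), and it is the kind of script the first answer would run from cron: a mode pass that enforces 750 on directories and 640 on files, an audit that counts entries exposing anything to "other" or writable by the group, and a probe showing that umask 027 yields exactly those modes without a chmod pass.

```shell
#!/bin/sh
# Added example for this thread, not code from either answer.
# Assumed names (from the thread): web root /var/www/html/project,
# upload account "project", Apache group "apache".
set -eu

WEBROOT="${WEBROOT:-/var/www/html/project}"
OWNER="${OWNER:-project}"
GROUP="${GROUP:-apache}"

# Ownership pass: only meaningful when run as root (e.g. from root's crontab).
normalize_owner() {
    chown -R "$OWNER:$GROUP" "$1"
}

# Mode pass: directories rwxr-x--- (750), files rw-r----- (640).
# "other" gets nothing, so local accounts outside the apache group see nothing.
normalize_modes() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# Audit: number of entries that are group-writable or grant any bit to "other".
# Prints 0 on a clean tree, so it doubles as the check in a monitoring job.
count_stray_perms() {
    find "$1" \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) \
        | wc -l | tr -d ' '
}

# umask probe: a process creating files under umask 027 gets 640 for files
# (666 & ~027) and 750 for directories (777 & ~027), matching the scheme above.
# Returns success when the probe file comes out as exactly 640.
umask_matches_scheme() {
    probe="$1/.umask_probe"
    ( umask 027; : > "$probe" )
    hits=$(find "$probe" -perm 640 | wc -l | tr -d ' ')
    rm -f "$probe"
    [ "$hits" -eq 1 ]
}

# Usage: ./fix_webroot_perms.sh --apply   (chown only happens when root)
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] && normalize_owner "$WEBROOT"
    normalize_modes "$WEBROOT"
    echo "stray entries after normalisation: $(count_stray_perms "$WEBROOT")"
fi
```

The audit deliberately flags group-write as well as any "other" bit, because with the apache group holding only read access the first answer's "close to perfect" state is one where nothing under the web root is writable by the web server; if a directory must accept uploads on demand, as the second answer discusses, exempt that path explicitly rather than loosening the whole tree.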